AVC Denied Dhcp and Iptables.

Wart wart at kobold.org
Sun Jul 15 03:58:23 UTC 2007


Daniel J Walsh wrote:
> piotreek wrote:
>> Hi guys, I found some strange messages in my logs. It seems that 
>> SELinux is blocking dhcp and iptables.
>> I found a similar post on the group about DHCP but my messages are 
>> different. I am using FC7; the latest policy update didn't resolve the problem.
>> P.S. I am using Firestarter as my firewall.
> I believe you will need to write custom policy to make this work.  You 
> can simply add these rules using audit2allow.
> 
> # grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc
> 
> # semodule -i mydhcpc.pp
> 
> Having dhcpc allowed to turn on/off firewall rules is of debatable 
> security risk.

I'm noticing similar behavior with dhcp and ntp.  It seems that for some 
reason the dhcp client is trying to play with ntp (probably because I 
define the ntp server in the dhcp server config) and failing:

type=AVC msg=audit(1184457984.239:75): avc:  denied  { remove_name } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.239:75): avc:  denied  { unlink } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.253:76): avc:  denied  { add_name } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.253:76): avc:  denied  { create } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.254:77): avc:  denied  { write } for pid=6377 comm="touch" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

I can easily write a custom policy to allow this, but it feels like a 
common enough configuration (ntp server configured by dhcp) that there 
should be a global policy (or boolean?) to allow this to work.

--Mike
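Before installing a module built with audit2allow, as Dan suggests above, it is worth seeing exactly which permissions the denials would grant, since "allow dhcpc_t to write lock files" is a much narrower grant than "allow dhcpc_t to rewrite firewall rules". The script below is an added example, not part of this thread and not the audit2allow tool itself: it parses AVC records of the form shown in Mike's post, groups the denied permissions by source type, target type and object class, and prints the TE allow rules that a tool like audit2allow would propose, so the resulting grant can be reviewed (or narrowed, or replaced by a boolean if one exists) before running semodule. The sample input is the five records from the post, joined onto one line each; the regular expressions and function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the five AVC records quoted in the post above, one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1184457984.239:75): avc:  denied  { remove_name } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.239:75): avc:  denied  { unlink } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.253:76): avc:  denied  { add_name } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.253:76): avc:  denied  { create } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.254:77): avc:  denied  { write } for pid=6377 comm="touch" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
"""

# Matches the parts of an AVC record that decide the policy rule:
# the result (denied/granted), the permission set in braces, and the
# source context, target context and object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Generic key=value / key="value" pairs for the auxiliary fields.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    for key, val in KV_RE.findall(line):
        if key in ("pid", "comm", "name", "dev", "ino"):
            rec[key] = val.strip('"')
    return rec


def type_of(context):
    """system_u:system_r:dhcpc_t:s0 -> dhcpc_t (the type is the third field)."""
    return context.split(":")[2]


def summarize_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            summary[key].update(rec["perms"])
    return summary


def allow_rules(summary):
    """Render the summary as TE allow rules, one per (source, target, class) triple."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    # For the sample this prints two rules: dir { add_name remove_name }
    # and file { create unlink write }, both from dhcpc_t to var_lock_t.
    for rule in allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Feeding it the output of `grep dhcpc /var/log/audit/audit.log` instead of the embedded sample gives a quick inventory of what a generated module would allow. For Mike's case the grant is confined to var_lock_t, which is what the ntp lock-file juggling needs; if the same inventory for the iptables case showed rules against firewall-related types, that is the grant Dan describes as debatable and the point at which to reconsider letting dhcpc drive the firewall at all.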

More information about the fedora-selinux-list mailing list